1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
New York Health Information Security and Privacy Collaboration
Standardized Consumer Consent Policies and Procedures
for RHIOs in New York State
December 21, 2007
Invitation to Comment:
The Health Information Security and Privacy Collaborative (HISPC) is a national
initiative funded by the federal Office of the National Coordinator for Health IT and
Agency for Health Research and Quality to examine how privacy and security laws
impact business practices related to electronic health information exchange. The
purpose of this document from the New York HISPC team is to put forth for public
comment recommended policies and guidelines governing consumer consent for the
exchange of personal health information in a technology-enabled health care
environment facilitated by Regional Health Information Organizations (RHIOs) in New
York State in order to protect privacy and strengthen security. Comments received will
be reviewed and considered during the development of final policy guidance that will be
issued by the New York State Department of Health. Please submit written comments
utilizing the form provided on the NYS HISPC website:
http://www.nyhealth.gov/technology/nyhispc/phase_ii/ to the Office of Health
Information Technology Transformation by January 31, 2008 via email:
This document is divided into the following eight sections:
I.
II.
III.
IV.
V.
VI.
VII.
VIII.
Introduction and Background ............................................................................... 2
The Health Information Privacy and Security Collaboration (HISPC): Project
Goals and Work Plan............................................................................................ 8
The Need for a Standardized Consent Process for RHIOs in New York State ... 12
Key Principles and Stakeholder Priorities ........................................................... 15
Recommendations.............................................................................................. 17
Discussion of Policy Considerations................................................................... 27
Next Steps .......................................................................................................... 31
Acknowledgements ............................................................................................ 32
1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
I.
Introduction and Background
Responding to growing evidence that interoperable health IT can support improvements
in health care quality, affordability and outcomes, New York State is making
considerable investments in transitioning its health care settings from today’s largely
paper-based environment to an electronic, interconnected health care system.
On August 8, 2007, the State of New York announced an ambitious new initiative to
promote interoperable health information exchange and new tools for quality and
population health measurement and reporting in New York. This initiative is part of
Governor Eliot Spitzer’s agenda to advance patient-centered care and enable
improvements in health care quality, affordability and outcomes for each person, family
and business in New York.
To launch this initiative, $105.75 million in State funding has been committed to support
the implementation of health IT infrastructure. The expected benefits include:
•
Improvements in Efficiency and Effectiveness of Care: Provide the right
information to the right clinician at the right time regardless of the venue where
the patient receives care.
•
Improvements in Quality of Care: Harness the power of clinical information to
support improvement in care coordination and disease management, help reorient the delivery of care around the patient and support quality-based
reimbursement reform initiatives.
•
Reduction in Costs of Care: Reduce health care costs over time by reducing
the costs associated with medical errors, duplicative tests and therapies,
uncoordinated and fragmented care, and preparing and transmitting data for
public health and hospital reporting.
•
Improvements in Outcomes of Care: Evaluate the effectiveness of various
interventions and monitor quality outcomes.
•
Engaging New Yorkers in Their Care: Lay the groundwork for New Yorkers to
have greater access to their personal health information and communicate
electronically with their physicians and designated care givers to improve quality,
affordability and outcomes.
New York's investment in health IT is significant for many reasons, chief among them
that it is by far the largest state investment to date in creating a public-private
governance and operating model to support interoperable health information exchange
and health IT tools for quality measurement and reporting and population health
improvement. As exciting as this opportunity is, it comes at a time when the health IT
environment is extremely dynamic. As New York charts it way through new waters, it
must take into account and respond to many issues, including increased consumer
2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
demand for health information; a newly emerging, but largely unregulated, commercial
market for health information; new clinical models for personalizing care based on
genetic and other types of information; new care delivery models, such as the medical
home, which depend on streamlined information transfer to support the continuity of
care; and new prevention and outcome-oriented reimbursement models where
information is needed to measure and account for outcomes and performance. At the
same time, concerns about the privacy and security of all types of personal information especially health information - abound, with daily headlines alerting the public to the
dangers of stolen laptops containing personal health information, cyber security threats,
phishing and other identity theft problems.
40
41
42
43
44
45
46
A central strategic focus of New York State’s efforts is to advance interoperability
through the development and implementation of a shared health information
infrastructure based on a community-driven model available to all providers, payers and
patients. The State health IT framework supports common policies, technical standards
and protocols, as well as regional “bottom-up” implementation approaches and care
coordination to allow local communities and regions to structure their own efforts based
on clinical and patient priorities. The framework seeks to promote innovation across the
In pursuing its health IT investment program, New York is cognizant that its success will
not only be measured by technical, operational, financial and clinical achievements, but
similarly by the policy framework and rules governing the exchange, measurement and
reporting of personal health information and organizations ensuring the adherence to
such policies. In fact, the establishment of public trust with respect to the privacy and
security of health information is the single most important goal of New York's health IT
investment program.
In pursuing this goal, New York benefits from policy thinking developed by several
important initiatives which have addressed privacy and security, including: the Markle
Foundation's Connecting for Health initiative; the California Healthcare Foundation's
policy briefs on privacy and consumer attitudes and important policy forums; studies
advanced by such organizations as the American Health Information Management
Association (AHIMA), eHealth Initiative, Healthcare Information Management Systems
Society (HIMSS), and National Alliance for Health Information Technology (NAHIT), the
Health Information Security and Privacy Collaborative (HISPC); and the Certification
Commission on Healthcare Information Technology’s (CCHIT) work on privacy and
security-related product certifications. In a very real sense, New York's investment
program builds on the collective foundation of these policy efforts and at the same time
seeks to go one step further. Because New York is setting policy in the context of live
implementations and is doing so through a statewide public-private collaborative model
it presents a unique opportunity to stress test new concepts which to date have largely
been considered in either much smaller settings, on a theoretical basis or based on
proprietary and/or narrow technological approaches. Hopefully, New York's experience
will provide all stakeholders a much richer understanding of what works and what
doesn't work, and will help to inform and shape emerging state and national policy.
Achieving Interoperability
3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
diversity of New York’s health care delivery settings - from solo physician offices and
community health centers to large academic medical centers, nursing homes and multispecialty physician practices, from Manhattan to rural upstate towns - with vastly
differing market conditions and health care needs.
Interoperability is essential to realizing the expected benefit from health IT; vastly
improving the availability and use of health information to improve patient care.
Perpetuating siloed information systems that do not interconnect will significantly
impede the adoption and effective use of health IT tools. Interoperability enables
patient health information to be exchanged in real time among disparate clinicians, other
authorized entities and patients while ensuring security, privacy and other protections.
Interoperability is necessary for compiling the complete experience of a patient’s care
and ensuring it is accessible to clinicians as the patient moves through various
healthcare settings. This will support clinicians in making fact-based decisions so
medical errors and redundant tests can be reduced and care coordination improved.
Interoperability is critical to cost-effective, timely and standardized data aggregation and
reporting for quality measurement, population health improvement, biosurveillance, and
clinical research. Interoperability is also needed for patients to have access to their own
personal health information, enabling it to be portable, not tethered to a particular payer
or provider.
To ensure interoperability, the State is seeking to support the implementation of three
interrelated components of New York’s health information infrastructure –
organizational, clinical and technical. The successful implementation of New York’s
health information infrastructure must emerge from these three intertwined capabilities
in order to realize the benefit of health information with respect to improving health care
quality, reducing costs and improving outcomes for all New Yorkers. Achieving these
benefits is dependent on much more than just technology. For example, interoperability
is as much a function of trust as technology or clinical participation, and is achieved
through policy and governance.
The high-level technical framework for New York’s health information infrastructure is
comprised of three main layers and is depicted in figure 1 below1.
•
A Statewide Health Information Network for New York (SHIN-NY) is a
network of networks to interconnect clinicians to exchange patient information
regardless of the venue in which the patient receives care in order to deliver the
right care at the right time in a coordinated, patient-centered manner. The SHINNY will utilize the Internet and include common software protocols and services,
including security tools, and will be a part of the emerging Nationwide Health
Information Network (NHIN).
1
For additional information, a technical discussion document published as part of the HEAL NY Phase 5 Health IT
RGA is located on the DOH website: http://www.nyhealth.gov/funding/rfa/0708160258/
4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
•
Clinical Informatics Services (CIS) are community-based health IT tools which
aggregate, analyze, measure and report data in a standardized and valid manner
for various uses, including quality and population health initiatives, available to all
payers, providers and public health officials.
•
Information Tools (3Cs) are Electronic Health Records for Clinicians, Personal
Health Records for Consumers and Community Portals for clinicians and public
health officials, collectively the 3Cs, providing: (i) clinicians with information tools
when and where they need them to guide medical decisions, (ii) New Yorkers
with greater control over and access to their health information and (iii) Public
Health Officials with the ability to survey, report and respond to population health
events.
Figure 1
Framework for New York’s
Health Information Infrastructure
“Cross-Sectional” Interoperability
APPLY
Clinician/EHR
AGGREGATE
&
ANALYZE
Consumer/PHR
Community
Clinical Informatics Services
Aggregation
ACCESS
– People, Data, Systems
Measurement
Reporting
Statewide Health Information Network – NY (SHIN-NY)
16
17
18
19
The Role of Regional Health Information Organizations
20
21
22
Underlying this infrastructure and central to its successful implementation are Regional
Health Information Organizations (RHIOs). RHIOs, working with other RHIOs,
governments and other organizations, must create an environment that assures
5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
effective health information exchange both organizationally and technically through a
sound governance structure. While the term RHIO is not presently defined in federal or
state law, RHIOs are defined in New York State HEAL NY Phase 5 Request for Grant
Applications as “a non-governmental, multi-stakeholder organization that exists as a
New York State not-for-profit corporation to advance interoperable health IT in the
public’s interest through a transparent governance structure with an overall mission to
improve health care quality and safety and reduce costs.” RHIOs are not technology
organizations, do not develop software and are not proprietary regional health
information exchange (HIE) networks. They are regional “exchange organizers or
governors” which set policies and ensure adherence to such policies to enable the
implementation of the SHIN-NY, and ensure other components of the technical
infrastructure such as the CIS and EHRs are interoperable. The term health information
exchange is a verb defining the act or function of mobilizing and sharing health
information and the term SHIN-NY defined above is New York’s name for health
information exchange. The term Health Information Service Provider (HISP) is a vendor
company which develops health information exchange software and services and/or
supports the implementation of such software and services.
22
Figure 2
As described more fully below in Figure 2 below, there are seven critical components of
the definition of a RHIO.
23
24
Seven Critical Components of the RHIO Definition
25
Nature of participants
Governance
Purpose of exchange/Mission
26
Multi-stakeholder
Transparent policy framework,
inclusive decision
making process
Improve quality, safety,
efficiency of care
Type of information exchanged
Clinical data
How information is exchanged
Protocols, standards and services
via SHIN-NY
Scope of services
Security, authentication,
authorization, access,
auditing policies, other info
policies
Consumer Access
Provisions for ensuring
consumer access to and
control of data
6
1
2
3
4
5
6
7
8
One of the main functions of a RHIO is to act as a governor or trusted broker to
establish, maintain and enforce privacy and security policies for multiple entities and for
multiple purposes. Establishing a trusted broker for health information is not merely a
matter of implementing a technical solution compliant with State and federal law. It
requires developing consensus and trust around value-laden policy decisions, which are
then translated into business procedures and eventually reflected in contractual
relationships between RHIO participants.
9
10
11
12
The purpose of this paper is to provide guidance to RHIOs and their participants
regarding a crucial component of interoperable health information exchange: patient
consent. Patient consent must be implemented through a suite of common policies to
ensure informed and trusted patient consent.
13
14
15
16
17
18
19
20
21
22
23
24
25
While this paper is focused on patient consent policies, it is important to emphasize that
consent policies must be accompanied by a full range of privacy and security
protections to earn patient trust and enable successful health information exchange.
The consent policies outlined in this paper must be buttressed by additional policies for
privacy and security, including authentication of provider/consumer identity,
authorization for access, consumer and provider identification, transmission security,
data integrity and administrative and physical security, all of which remain a priority for
New York State and are encompassed in the policy framework.
It also is important to recognize that the recommendations in this paper provide a
starting point for a longer discussion. While the recommended policies outlined below
are often specific and directive in nature, more detailed guidance will be necessary to
enable full implementation.
26
27
28
Consumer Access Services - Supporting the Right of New Yorkers to Have
Greater Control Over and Access to Their Personal Health Information
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
As we advance health IT in New York, there is a significant opportunity to expand the
way in which we have traditionally thought about consumer rights to access and use
their own personal health information. Consumer access to and use of their personal
health information is necessary to realize the full potential of the range of
technologically-enabled care advancements. Redefining consumers’ rights, however,
will require a paradigm shift in how we think about health information – supplementing
the current legal structure which focuses on clinician control over the medical record
and under what circumstances disclosures of such information are permissible - with a
new legal structure that affirmatively provides consumers with the right to gain access to
their personal health information, regardless of the source of such information, and
supports the consumer’s ability to maintain such information for his or her personal use.
While consumer access services and personal health records are not the focus of this
paper, it is important to note that RHIOs can, and hopefully will, play an important role in
enhancing consumer access to their own personal health information.
44
7
1
2
II. The Health Information Privacy and Security Collaboration (HISPC): Project
Goals and Work Plan
3
4
5
6
HISPC is a national initiative funded by the federal Office of the National Coordinator for
Health IT and Agency for Health Research and Quality to examine how privacy and
security laws impact business practices related to electronic HIE. The stated objectives
of HISPC are to:
7
8
9
10
11
12
13
14
•
•
•
Preserve privacy and security protections in a manner consistent with
interoperable health information exchange;
Promote stakeholder identification of practical solutions and implementation
strategies through an open and transparent consensus-building process; and
Create a knowledge base on privacy and security issues in electronic health
information exchange in states and communities that endure to inform future HIE
activities.
15
NY HISPC Phase I
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
In 2006, New York State was one of 34 States and territories awarded a HISPC
contract. The New York State Department of Health (NYS DOH) served as the lead
agency for this project in New York State. Phase I spanned from March 2006 to April
2007 and involved a comprehensive assessment of health privacy legal and policy
issues in New York State. Major findings of NY HISPC Phase I included the following:
•
•
•
•
•
•
•
•
Human Judgment in Information Exchange: Information exchange currently
relies heavily on human judgment and interaction to ensure security and privacy
of health information
From One-to-One to Many-to-Many: Moving to a broad transfer of information
to many persons or entities may require layers of sophisticated permissions and
controls.
Informed Patient Consent: Informed patient consent that is meaningful,
tracked and monitored is a key requirement to earning patient trust in HIE.
Sensitive Data: Differing regulations governing specially protected health
information present challenges for staff education and compliance.
Appropriate Scope of Disclosure: There is a need to more clearly define who
needs to see what information and to understand how to accommodate
appropriate access in an electronic environment.
Patient Care and Patient Privacy: There exists a delicate balance between
patient privacy and the need for information for treatment.
Security in an Electronic World: There is a heightened sense of vulnerability
regarding identifiable health care information in electronic form.
Patient Control: There is an opportunity to create an environment that supports
the right of consumers to control the use of their own personal health information.
8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
•
Role of Regional Health Information Organizations (RHIOs): RHIOs can play
an important role in HIE by acting as a trusted broker to establish and maintain
privacy and security policies.
A central finding of phase one of HISPC was that strong policies that protect the privacy
and security of health information are crucial to achieving interoperable health
information exchange. Current laws governing HIE and the resulting business practices
were developed in the context of a paper-based health care setting where decisions on
what to communicate, how and to whom are generally made on a one-to-one basis by
clinicians. The current laws attempt to serve the patient’s privacy interests by restricting
what can and cannot be shared and the terms on which sharing takes place. Human
judgment and personal relationships play a major role, as clinicians attempt to act as
the guardian of their patients’ information. Moving from a paper to an electronic health
system changes the information sharing dynamic. An interoperable health system
facilitates a many-to-many relationship, enabling different information technology
systems and software applications to exchange information accurately, effectively, and
consistently. This offers new opportunities for patient access to and control over their
health care information, as well facilitating the safety, quality and efficiency of their care.
However, it also demands new approaches for protecting patient privacy and security,
including policies addressing the disclosure and use of health care information, and
technologies that address patient identification, authentication, record location, identity
management, and storage of special classes of information.
The NY HISPC Phase I advanced an “Implementation Framework” highlighted in Figure
3 below. One of the four priority solution areas was consumer consent – ensuring that
consumers are able to provide informed and meaningful consent and that holders of
consumer health information adhere to State and Federal privacy and security laws as
they exchange health information electronically.
9
1
2
3
Figure 3
NY HISPC Phase I Implementation Framework
Patient Engagement
Priority Solutions
Areas
Consent
Security/Access/Use
Patient Identification
Leadership
Entity
Implementation
Approach
Accreditation
Process
Establish a private
Identify or establish
sector accreditation
an independent,
process for RHIOs
statewide, publicthat ensures a
private group to:
minimum level of
•Convene
privacy and security
stakeholders
practices across the
state.
•Align HIE policies
Evaluate whether
•Identify best
accreditation would
practices
qualify for certain
•Publish
benefits such as
recommendations
eligibility for state
funding, access to
•Provide technical,
Medicaid data, etc.
business practice
and policy guidance
Clarification
of Laws
Establish a
shared
interpretation of
relevant state
and federal
regulations that
impact HIE.
New Laws
Create new law
where necessary
to govern the
electronic
exchange of
health
information.
4
5
6
7
8
9
10
11
12
13
NY HISPC Phase II
The second phase of NY HISPC began in June 2007, with NYS DOH as the lead
agency, and has focused on implementing a patient consent solution through the
development of a standardized consent process. The goal of this standardized process
is to promote consistency across NYS RHIOs, as exchange organizers and governors
of the SHIN-NY, in obtaining consent and addressing consumer privacy concerns about
electronic exchange of health information. Specifically NY HISPC Phase II project goals
are to:
14
15
16
•
Advance health information exchange via the SHIN-NY through the development
of a standardized consent process implemented through and facilitated by RHIOs
in NYS
17
•
Ensure that consumer consent is informed and knowing
18
•
Provide clarity on and ensure consistency in consent process
19
20
•
Give RHIOs standing to address patient consent on behalf of physicians,
providers and New Yorkers
21
•
Enable incentives and protections to encourage RHIO participation.
22
23
24
The duration of the project is from June 2007 through January 2008; the process is
represented in Figure 4, below:
10
1
Figure 4
2
NY HISPC Phase II Project Timeline
3
4
July
Project
Kickoff and
Planning
August
September
October
November
December
January
08
Facilitate Stakeholder Meetings
Propose Strawman
Recommendations
Post White Paper and Solicit
Public Comments
5
Submit Final
Recommendations
to SDOH
6
7
8
9
10
11
12
13
14
15
16
To engage in a statewide dialogue on consent, three stakeholder meetings were held in
September and October 2007 to identify consent-related issues and gain consensus on
a standardized approach. The meetings were attended by consumer advocates, health
care providers, RHIO executive and clinical leadership, representatives from the City
Department of Health, and others. The first meeting was dedicated to understanding the
current state of RHIO policy development regarding consent in New York. The second
meeting sought to elicit discussion on the key policy questions that a new consent policy
for RHIOs would need to address. The key questions that provided the basis for this
discussion are outlined in Figure 5 below:
11
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Figure 5
Key Questions for Developing RHIO Consent Standards
Activities: What are the activities with respect to health information
exchange we are seeking to govern and support?
Obligations: What are the core obligations of a RHIO governing health
information exchange via SHIN-NY with respect to consumer consent?
•
Uses of information
•
Sensitive information
•
Where and at what point consent is obtained
•
Standardized consent process
•
Durability and revocability
•
Consumer engagement
•
Audit and transparency
Benefits/Penalties: What are the consequences, including benefits and
penalties, of meeting the obligations defined above?
Adoption/Compliance: How and by whom will compliance be enforced?
At the third meeting, “straw model” recommendations were proposed and discussed.
The policy guidance described in this document is the result of the discussion during
those three meetings.
This document outlines a standardized consent process, related roles and
responsibilities of RHIOs and participants as trusted custodians of health care
information, and consumer protection safeguards required to prevent inappropriate use
or disclosure of consumer health information. The policies described are still under
development. As such, public comments are strongly encouraged.
35 II.
The Need for a Standardized Consent Process for RHIOs in New York State
36
37
RHIOs across the State are struggling to define what constitutes adequate and
38
meaningful patient consent. Broad variation in opinion exists among stakeholders as to
39
what is required legally, what is appropriate for risk management purposes, what
40
constitutes the best public policy, what is best for New Yorkers and what is feasible from
41
an implementation perspective. Standardized consent policies will help earn patient
42
trust, provide clarity regarding compliance with New York law and ensure
43
interoperability via the SHIN-NY enabled and governed by RHIOs.
44
45
Standard Consent Policies for RHIOs are Necessary to Ensure Complete and
46
Consistent Health Information and Earn Patient Trust
12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Electronic health information exchange represents a paradigm shift in the way
information is exchanged between a consumer’s health care providers. In today’s
largely paper-based world, exchange of health information between providers generally
is managed by the consumer. In order for Provider A to obtain health information from
Provider B, the consumer must tell Provider A that they are receiving care by Provider B
and would like their health information to be shared. The consumer in effect is the
gatekeeper of a one-to-one relationship among various providers who are responsible
for their care.
36
37
38
39
40
41
42
43
44
45
46
New York State offers a fragmented State legal and regulatory framework on consumer
consent. Unlike HIPAA, New York’s extensive legal requirements governing the
collection, storage and exchange of health information are not organized into a single
regulatory scheme. State law governing health information is spread across dozens of
statutory and regulatory provisions. The result is a patchwork of requirements and
exceptions that vary greatly depending on the nature of the entity, type of information
involved and purpose of the disclosure. Gaps in legal/regulatory guidance result in
varying interpretations and diverse consumer consent policies across RHIOs. This is
apparent in the current HEAL NY Phase 1 funded projects, which have come to differing
conclusions about the mandates under state law, and are implementing a wide range of
patient consent policies as a result. Diverse consent policies are a barrier to
RHIOs usher in a new world by enabling the free flow of information, but fundamentally
change the one-to-one paradigm that exists in a paper-based world. RHIOs allow
providers for the first time to reach out to large networks of clinicians and providers
independent of the consumer to see what information is available and use it to aid in
that patient’s care. This brings obvious benefits to the patient – eliminating the burden
of gathering and transporting paper records, avoiding duplicative tests and procedures,
and ensuring their providers have the best information available to make medical
decisions and coordinate care. It also, however, takes away a measure of patient
control, and for some, brings a heightened sense of vulnerability related to the
transmission of identifiable health information across networks of providers in electronic
form.
Because of the paradigm shift inherent in health information exchange, an essential
cornerstone of New York State’s health IT policy is to ensure that consumers are
appropriately educated about how their health information can be shared and to provide
consumers with the informed opportunity to decide whether or not they desire to have
their information accessible via the SHIN-NY governed by RHIOs. If consumers are
not informed of the new paradigm, they have no way of understanding to what they are
consenting. Thus, from a consumer trust perspective, new consent policies which
clearly define the role of RHIOs (and clinicians, providers and payers participating in
RHIOs), coupled with significant provider and patient education programs, are crucial to
ensuring that consumers are provided with the opportunity to make informed decisions
with respect to with whom and for what purpose their personal health information is
shared and used.
RHIO Consent Standards will Facilitate Interoperability via SHIN-NY
13
1
2
3
4
5
interoperability. A standardized consent process will enable consistency across RHIOs,
eliminate interoperability barriers and reassure consumers that all RHIOs adhere to
minimum privacy standards with regard to exchange of their health information.
6
7
8
9
10
11
12
13
14
15
16
17
18
New York State law requires that hospitals, physicians and other health care providers
and HMOs obtain patient consent before disclosing personal health information for nonemergency treatment. Unlike HIPAA, New York State law provides no exception to this
requirement for treatment, payment or healthcare operations. While consent may be
verbal or even implied for most types of health information, this is not the case for
certain classes of specially protected health care information, including information
related to HIV status, mental health and genetic testing, which require written consent.
These laws reflect a desire to ensure that patients are protected from unauthorized uses
of personal health information and provide both a legal and normative guidepost for
developing consent policies for information exchange governed by RHIOs in New York.
Thus, under any circumstances, affirmative consent from the patient to exchange health
information via SHIN-NY governed by a RHIO is required under existing state law for
non-emergency treatment.
Consumer Consent is Currently Necessary under New York Law
19
20
21
State and Federal Law Provide an Insufficient Framework for the Regulation of
RHIOs
22
23
24
25
26
27
28
29
30
31
32
It is crucial that the state ensure adequate policies and standards are in place to protect
the integrity of RHIO activities and the privacy of the public. HIPAA applies only to
“covered entities,” which include certain health care providers, health plans and health
care clearinghouses. RHIOs are not health care providers, health plans or
clearinghouses2. Accordingly, at the present time, it does not appear that any of the
RHIOs will be covered entities.
Under HIPAA, a business associate is an organization that assists a covered entity in
performing certain health-related or administrative functions, and receives, creates or
maintains protected health information in connection with these activities. To date, most
if not all RHIOs in New York have been structured as business associates of RHIO
participants under two basic models:
•
33
34
35
36
37
“Peer-to-Peer” Model: The RHIO supports technology that enables providers to
exchange data directly with one another. The RHIO may facilitate access to
each provider’s data to ensure the proper functioning of the system. There is no
central data repository (CDR) governed by the RHIO. Under this model, the
RHIO is a business associate of each provider.
2
A health care clearinghouse is an entity that converts electronic HIPAA-covered transactions (i.e., claims
processing and other transactions between health care providers and health plans) from non-standard to standard
formats (or vice versa). By definition, RHIOs in New York are not performing such data conversion activities.
14
1
2
3
4
5
•
“Custodial CDR” Model: The RHIO supports a CDR in which each provider’s
data is stored. Each provider continues to own its data. The RHIO holds the
data on behalf of each provider as a custodian, and has no ownership rights in
the data. If a provider leaves the RHIO, the provider’s data must be returned or
destroyed. Under this model, the RHIO is a business associate of each provider.
6
7
8
9
10
11
12
13
A potential third model for health information exchange is an “Owner CDR” Model.
Under this model, the RHIO (or other entity facilitating health information exchange)
would not be a business associate of the participants in the data exchange. Instead,
the RHIO would own the data in its care. To implement this model, each provider would
be required by federal law to obtain a HIPAA authorization from each patient permitting
the transfer of his or her protected health information to the RHIO or other entity. The
HIPAA authorization itself would be required to state that the RHIO is not a covered
entity and therefore not required to comply with HIPAA.
14
15
16
17
18
19
20
21
22
23
It is not prudent to mandate that all SHIN-NY and CIS pilot projects be structured in a
manner that qualifies the RHIO as well as vendors and other technology service
offerings as a business associate of the participating providers. Such a mandate may
stifle innovation, such as new business models designed to create integrated data sets
comprised of data contributed by multiple providers to support disease management
and other quality interventions. At the same time, however, permitting the aggregation
of substantial amounts of health information in an entity that is outside the scope of
state or federal privacy regulation raises significant privacy and consumer protection
concerns, even if data is transmitted to the entity pursuant to patients’ HIPAA
authorization.
24
25
26
27
28
29
To address these competing considerations, the State should avoid dictating the
manner in which RHIOs fit within the HIPAA regulatory scheme, and instead, create a
cohesive State regulatory framework that applies directly to RHIOs. This framework
would include relevant aspects of HIPAA as a floor and other privacy laws to establish a
set of requirements governing the use and disclosure of information, security
safeguards, patient access to data and other matters.
30
31 III.
Key Principles and Stakeholder Priorities
32
33
The recommended policies for obtaining consumer consent to exchange personal
34
health information via the SHIN-NY governed by RHIOs were guided by several key
35
principles, summarized in Figure 6.
36
37
38
39
40
41
42
15
1
2
3
4
5
6
7
8
9
10
11
12
13
Figure 6
Key Principles of New Consent Policies and Procedures
¾ Promote patient-centered care by facilitating consumer choice
and addressing consumer concerns about privacy
¾ Promote exchange of comprehensive information ensuring
clinical effectiveness to improve the quality and efficiency of
care
¾ Minimize burdens on healthcare providers
¾ Be practical and “implementable” for RHIO participants
providing operational flexibility
¾ Be simple and clear with a concrete rationale
¾ Foster innovation while ensuring public trust
¾ Be neutral on technology model
14
15
16
17
18
19
These principles outline the core policy aspirations and practical considerations
necessary to implement interoperable health information exchange. Buy-in from
multiple stakeholder groups is important, and throughout the course of the public
meetings it was clear that stakeholders approach RHIOs with a host of pressing needs.
20
21
22
23
24
25
26
27
28
•
Consumers: Consumers seek assurance that they have a meaningful level
of control over who is able to access their protected health information. They
want choices and they want to have enough information in the consent
process to make that choice meaningful and knowing. Consumers want to
know that those who have access to their information use it to improve the
delivery and quality of their care, and do not use it in a way that could cause
them embarrassment or harm. Consumers are particularly concerned that
their sensitive health information is protected and only viewed by authorized
individuals for whom they enable access.
29
30
31
32
33
34
•
Clinicians: Clinicians want to ensure clinical effectiveness and high quality
care. They want access to a consumer’s complete medical record at the
point of care to enable the provision of consistent, high quality and safe
medical care. They are equally concerned that consent requirements do not
impose heavy burdens on them and their staff, especially for doctors in small
practice settings.
35
36
37
38
39
40
•
Provider Organizations: Provider organizations want assurance that
additional consent requirements do not impose heavy administrative,
technical and/or financial burdens on their organization and its resources.
Such institutions often already have internal information systems and want to
ensure that new systems can be implemented in harmony with existing work
flow and other requirements related to internal systems.
16
1
2
3
4
5
6
7
8
•
Payers: Payers increasingly are taking an active role in helping support
improvements in health outcomes for their members by employing personal
health records and disease management initiatives. With this in mind, payers
want access to clinical information on their members for the purpose of
delivering care management services, improving quality and reducing cost.
Payers also note that they are being asked to contribute to the cost of RHIOs
and to make claims data available to RHIO participants, and they want to
know that these investments will realize a benefit.
9
10
11
12
13
14
15
16
17
18
19
20
•
RHIO Executives: RHIO executives want to ensure that new consent policies
and procedures give RHIOs operational flexibility and support an evolving
landscape as they embark on implementing their health information
exchange. They are concerned that new consent policies and procedures will
be difficult to implement, sustain and monitor, and that they will place burdens
on providers that may reduce their participation. RHIO executives also are
concerned about how to fund mandates that are different from the standards
they have begun to implement. With limited resources, extremely small
central staffs and with guidance coming on the eve of or even just after
information has begun to flow, RHIO executives want to know that they will
have the funding necessary to support implementation of new and evolving
standards.
21
22
23
24
25
26
27
28
29
30
•
Government: Policymakers are charged with advancing health IT to support
improvements in health care quality, affordability and outcomes. Through a
statewide, multi-stakeholder process, health IT strategies are formulated in
the public’s interest and facilitate a dynamic, bi-directional information
infrastructure to support quality improvement interventions, public health
reporting and biosurveillance activities. Protecting the privacy of individuals
and earning and maintaining their trust is a top priority of policymakers;
understanding that success will be not realized without broad-based support
from patients, clinicians, providers, payers and other stakeholders in the
healthcare system.
31 IV.
Recommendations
32
33
The following policies and practices seek to provide specific guidance to RHIOs of
34
sound patient-centered public policy while at the same time being operationally and
35
financially feasible. Several areas, however, have been identified in which more
36
process and thought is necessary before more detailed recommendations can be put
37
forth. In those instances, the report recommends further action through a statewide
38
collaboration process facilitated by the New York’s public private partnership convened
39
by the NY eHealth Collaborative (NYeC) (described further in Section VIII).
40
41
42
43
The recommendations are summarized in Figure 7 and described in more detail below:
17
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Figure 7
Recommended Policies and Standards for Consumer Consent to Exchange
Information via SHIN-NY governed by RHIOs
1) Scope of Governed Activities:
The new consent rules apply statewide to interoperable health information
exchange of patient identifiable health information via SHIN-NY governed by
RHIOs and their participants.
2) Affirmative Consent:
Each provider organization and payer organization participating in a RHIO must
obtain an affirmative consent from the consumer that specifically references the
RHIO prior to accessing her/his personal health information.
3) Up-Loading Data:
Health care providers may “upload” patient information to a RHIO without
patient consent.
4) Uses of Health Information:
Permissible uses of health information fall into two categories, each requiring
different types of consent.
5) Sensitive Health Information:
A single consent may be obtained to exchange all health information, including
all specially protected health information.
6) Consent Form:
RHIOs must use a State-approved consent form.
27
28
29
30
31
32
33
34
35
36
7) Durability and Revocability:
RHIO consents are both durable and revocable.
8) Consumer Engagement and Access:
RHIOs must comply with consumer education, engagement and access
standards.
9) Audits and Transparency:
RHIOs must conduct audits at least annually; inform consumers promptly of any
breaches and make audit trails available upon request. It is anticipated that online tools and paper-based reports will be utilized.
10) Benefits and Penalties:
To be eligible for State funding through HEAL and other initiatives, and to
receive Medicaid data, RHIOs must adhere to consent policies.
11) Enforcement:
Consent standards initially will be enforced through contractual relationships
between RHIOs and New York State, and should migrate towards requirements
for an accreditation process.
18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Scope of Governed Activities: The new consent rules apply
statewide to health information exchange of personal health
information via the SHIN-NY governed by RHIOs and their
participants.
The scope of activities that the following policies seek to govern includes all
interoperable health information exchange conducted through SHIN-NY and governed
by RHIOs. RHIOs are important because the definition of interoperability includes much
more than technical interoperability of information systems; it is people and policies or
organizational interoperability, also.
Health information exchanges, like SHIN-NY, use the term liquidity to express the level
of interoperability or rate of flow of assets through the exchange. Exchanges are
characterized as very liquid when almost all uses succeed (e.g., finding clinical
information about a patient to inform medical decisions; receiving a drug-drug
interaction alert). Conversely, in an illiquid exchange a large number of uses may fail
(e. g. not finding current and/or complete medication profiles for patients).
A high level of liquidity for the health information flowing through SHIN-NY is essential.
The key to generating liquidity in any exchange is the belief on the part of stakeholders
that uses of the exchange will succeed and be beneficial and that, in rare cases of
problems, the stakeholders will be protected and problems solved. This is as much a
function of trust as technology or clinical participation, and is achieved through policy
and governance, which is the main purpose of a RHIO. Thus, policies that govern the
SHIN-NY must be implemented through the RHIO, and the policy recommendations
outlined in this document are applicable to all RHIOs, or other similar entities governing
health information exchange.
RHIOs must ensure the health information service providers with whom they contract for
health information exchange software and services and the participants of the RHIO
comply with the minimum protocols, standards, and services of the new consent policies
and procedures. All statewide health information exchange enabled by a RHIO must
comply with RHIO protocols and standards related to consent, with limited exceptions
described below.
One exception relates to “one-to-one” electronic health information exchange. “One-toone” health information exchange taking place through a RHIO is not subject to new
consent policies. One-to-one exchange is best described as a request by a treating
clinician to receive information from or send information to an identified source (i.e.
either another clinician or an ancillary service provider.) Common examples include
physician referrals, a discharge summary being sent by a treating hospital to the
referring physician, or the delivery of lab results to the clinician who ordered the test.
One-to-one exchanges utilize technology to transfer information in a way that mirrors
paper-based exchange, in essence, simply replacing the facsimile machine with email.
Each one-to-one exchange is understood and predictable to the patient, and limited in
scope to the two exchanging providers.
19
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
RHIOs may include one-to-one exchange services among their offerings. So long as
the RHIO has the capacity to separate this exchange – including policies and tools that
enable the types of exchanges within the RHIO to be readily distinguishable – RHIOs
need not apply the new consent policies to one-to-one components of the exchange.
Obviously, consent requirements in existing law applicable to any one-to-one exchange
remain in force.
40
41
42
43
44
45
46
Affirmative consent must be obtained by each provider and payer organization before
accessing health information via the SHIN-NY governed through the RHIO. Consent to
providers may be done at a provider or organizational level (e.g. medical practice,
hospital) and need not be at the individual clinician level. Once a provider obtains
patient consent, it may access the information of all other participating providers unless
the RHIO has voluntarily established additional restrictions on disclosures as indicated
below. It is required that providers and payers each obtain consent prior to accessing
The “one-to-one” exception is important to avoid significant unintended consequences
that could impact a range of electronic health information exchange activities that are
adequately regulated and do not constitute community-wide or statewide health
information exchange. However, further guidance is required to clearly distinguish the
line between “one-to-one” and community-wide/statewide exchange. More deliberation
and guidance is necessary regarding the boundaries of “one-to-one” exchange to
ensure that it is enforceable and effective, and does not disrupt existing techniques for a
clinician and provider to access information he/she ordered for a patient.
It also is important to note that to the extent public health reporting does not require
consumer consent under New York law, consent requirements related to RHIOs do not
apply to information exchange related to such reporting. However, public health
reporting has been recognized as a high priority for RHIOs in New York and RHIOs are
encouraged to integrate public health reporting into consumer education efforts.
Furthermore, the new consent policies and procedures for RHIOs apply only to
identifiable data. According to HIPAA, “de-identified health information neither identifies
nor provides a reasonable basis to identify an individual.” While greater clarity is
required regarding consent policies and procedures for de-identified data exchanged
through a RHIO for quality and population health measurement and reporting, clinical
research, among other purposes, this requires further deliberation that is beyond the
scope of this initiative and should be further developed through the statewide
collaboration process and approved by the State.
Finally, minimum technical protocols, standards and services serve as the floor for
RHIO policies and practices. RHIOs may choose to implement policies and practices
that exceed the protocols, standards and services defined by the state.
Affirmative Consent: Each provider organization and payer
organization participating in a RHIO must obtain an affirmative
consent from the consumer that specifically references the RHIO
prior to accessing her/his personal health information.
20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
information; a one time general consent which provides multiple organizations with
simultaneous consent will not be permissible for reasons discussed in Section VII.
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
Health care providers may upload patient information without patient consent to a CDR
maintained by a RHIO if the RHIO is serving as the provider’s business associate and
the RHIO does not make the information accessible to other RHIO participants until
patient consent is obtained. Health care providers routinely enter into data storage and
management arrangements with electronic medical record hosting vendors, outsourced
data centers and other technology companies. Indeed, many facets of a provider’s
routine operations may be carried out by independent contractors who have access to
identifiable patient information, and this occurs without patient consent.
Providers and payers may, at their discretion, also seek consent prior to disclosure of
personal health information, but are not required to do so. This option is likely to be of
special interest to providers of particularly sensitive health services (e.g. family planning
and abortion service providers) because it would limit the access of other health care
providers (who had obtained their own consents) to this sensitive information unless the
patient expressly authorized the provider of the sensitive services to make the
information available.
Consumers must be able to prevent any or all provider and payer organizations from
accessing their personal health information via SHIN-NY governed by a RHIO without
being refused treatment or coverage.
In an emergency situation in which the consumer is unconscious or otherwise unable to
give or withhold consent, and the treating clinician determines that information that may
be held by the RHIO may be material to treatment, and the consumer has not previously
withheld consent for the provider organization to access his/her information, the RHIO
may allow the physician to access the consumer's information through “break the glass”
capability. The physician must attest that all of these conditions apply, and the RHIO
software must maintain a record of this access.
As indicated above, the transfer of data to an “Owner CDR” model would require a
HIPAA authorization in addition to meeting state standards related to affirmative
consent.
Up-Loading Data: Health care providers may upload patient
information to the SHIN-NY governed by a RHIO without patient
consent.
To date, New York regulatory authorities have not interpreted the State’s existing
medical privacy laws as requiring patient consent for the storage or management of
data by technology vendors acting on behalf of health care providers. If a vendor holds
patient data solely as a custodian of the provider and does not make the data available
to other entities, the storage arrangement is not treated as a “disclosure” to a third party
requiring consent under New York law. Accordingly, existing New York law does not
require providers to obtain patient consent to upload information to a RHIO as long as
21
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
the RHIO does not make the information accessible to other entities without patient
consent. No change in New York law is required in this area.
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
Consent policies will be determined and applied according to the use of the information.
There are two levels of permissible uses and therefore two different standards of
consent. Level 1 Uses include uses that are likely to be expected by the consumer and
bring the consumer direct personal benefit, including information exchange for the
purposes of treatment, quality improvement and care management. A description of
Level 1 Uses follows.
This approach regarding patient consent is appropriate for three primary reasons. First,
information uploaded to a RHIO will not be viewed by other entities, and therefore
patient privacy will not be compromised. Second, the information held by the RHIO will
be subject to the RHIO’s obligations under its business associate agreements, which
track HIPAA requirements. Third, uploading information in this manner will expedite
providers’ access once patient consent is obtained or in an emergency thereby making
important clinical information available at the point of care. .
It is worth noting that the concept of “up loading” data – where information is held on
behalf of a provider or payer by a business associate – is not possible where the RHIO
is acting as an Owner CDR. RHIOs operating under an Owner-CDR model would be
required to obtain a HIPAA authorization and affirmative consent before any transfer of
data would be permissible.
Uses of Health Information: Permissible uses of health information
fall into two categories, each requiring different standards of consent.
•
Treatment: Treatment is defined as the provision, coordination, or management
of health care and related services among health care providers or by a health
care provider, and may include providers sharing information with a third party.
Consultation between health care providers regarding a patient; and the referral
of a patient from one health care provider to another also are included within the
definition of treatment.
•
Quality Improvement and Disease Management: These activities include
conducting quality measurement, assessment and improvement activities,
including outcomes evaluation and development of clinical guidelines,
population-based activities relating to improving health or reducing health care
costs, clinical decisions support and evidence-based clinical protocol
development, case management and care coordination, contacting of healthcare
providers and patients with information about treatment alternatives, and related
functions.
Any entity accessing information must have had a relationship with the individual who is
the subject of the information and the information must pertain to such relationship. In
22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
addition, disclosure of information for quality improvement purposes must be restricted
to the “minimum necessary,” consistent with requirements under HIPAA.
32
33
34
35
36
37
38
39
40
41
42
A single consent may be obtained to exchange all health information, including HIV,
mental health and genetic information, which must specifically be referenced in the
consent form. An exception to this rule is information from designated substance abuse
providers that are subject to current Federal law. Further guidance related to consent to
exchange information from federally qualified substance abuse providers through a
RHIO currently is being sought through the national HISPC process. Pending that
guidance, standards on the exchange of substance abuse information is expected to
mirror other specially protected health information.3
Level 2 Uses are less likely to be anticipated by the consumer or to bring direct personal
benefit. Level 2 Uses include research, marketing and other uses that are not Level 1
or prohibited. Descriptions of Level 2 Uses include:
•
Research: Research means a systematic investigation, including research
development, testing, and evaluation designed to develop or contribute to
generalizable knowledge, including clinical trials.
•
Marketing: Marketing means any communication about a product or service that
encourages recipients to purchase or use the product or service; or an
arrangement whereby a RHIO participant discloses consumer health information
to another entity, in exchange for direct or indirect remuneration, for the other
entity to communicate about its own products or services encouraging the use or
purchase of those products or services.
Standards for obtaining consent for Level 1 and Level 2 Uses will differ, with a more
streamlined process for Level 1 Uses and higher restrictions for Level 2 Uses.
Certain uses of information exchanged by or received from RHIO participants will be
prohibited. Prohibited uses include underwriting, discrimination and other such uses as
may be designated by the statewide collaboration process and approved by the State.
Finally, RHIOs also must have limitations on re-use and disclosure that provide
protections identical to those provided under HIPAA.
Sensitive Health Information: A single consent may be obtained to
exchange all health information, including specially protected health
information.
RHIOs and their participants may, but are not required to, offer consumers the ability to
screen certain types of sensitive information from exchange through the RHIO.
3
The Substance Abuse and Mental Health Service Agency (SAMHSA) intends to provide clarification to federal law
so that alcohol and substance abuse information can be included in health information exchange efforts with
affirmative patient consent.
23
1
2
3
4
5
6
7
8
9
10
11
12
13
Clinicians must have the discretion, in consultation with their patients, to withhold
information from the health information exchange.
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
A standardized consent form will be developed through the statewide collaboration
process and approved by the State for use by RHIOs. The State Department of Health,
at its discretion, may approve customized forms created by a RHIO so long as the form
complies with the minimum standards incorporated in the State’s form.
To ensure that consumers have knowledge of which providers are making the
consumer’s health information available through the RHIO, consumers must be
informed of the RHIO participants at the time of consent. If the RHIO enters into
contractual arrangements to share data with other RHIOs, consumers must be informed
of which RHIOs they share such information. Consumers also must be informed that
RHIO participants change over time and be given instructions on how to learn about
changes in RHIO participants. RHIOs must make available to consumers real time
information on which entities are participating in the exchange.
Consent Form: RHIOs must use a State-approved consent form.
The standardized consent form required for Level 1 Uses must include the following:
•
•
•
•
A description of the intended uses;
What information is being exchanged including specific reference to HIV, mental
health and genetic information;
The consumer’s right to revoke consent; and
Information about who is participating in the exchange including through data
sharing relationships with other RHIOs and how to stay informed about
participants in real time.
The standardized consent form required for Level 2 Uses must include all of the above
plus information about:
•
•
•
•
•
The specific entities with whom information will be disclosed;
For what specific purpose information is being exchanged;
Whether information is subject to re-disclosure;
Whether the RHIO or its participants will benefit financially from exchange of the
data; and
The expiration date of the consent.
Certain Level 2 Uses may require an authorization under HIPAA. As discussed above,
all exchange under the Owner CDR model also would require a HIPAA authorization. It
may be possible to combine the HIPAA authorization and the standardized state
consent form into a single document.
24
1
2
Durability and Revocability: RHIO consents are both durable and
revocable.
3
4
5
6
7
8
9
10
Consent for Level 1 uses are not time-limited but can be revoked at any time. Consent
for Level 2 Uses must be time-limited for a period specified in the notice. Revocation of
consent prevents a RHIO participant from accessing information through the RHIO in
the future. However, any data that has been accessed by the participant in the past will
remain part of the participants’ records.
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
New York State will facilitate a consumer education initiative. New York is currently
working in partnership with NYeC and consumer representatives to craft a public
education and consumer engagement initiative. The initiative will include the
development of consumer-centric materials geared towards ensuring consumers
understand how SHIN-NY and RHIOs change the way their health care information is
accessed as well as the potential benefits and risks. In addition, the New York State
Department of Health is seeking to participate in a Multi-state Consumer Education
Collaborative in the next stage of the federal HISPC initiative, with a state specific
project on development of educational materials around the consent process.
Consumer Engagement and Access: RHIOs must comply with
consumer education, engagement and access standards.
Robust consumer education standards will be developed and approved by the State to
ensure that consumers are aware of what they are consenting to and to whom their
personal health information is available. RHIOs must conform to consumer education
program standards developed by a statewide collaboration process and approved by
the Department of Health.
RHIOs must appoint at least one consumer representative to its Board. A consumer
representative is defined as a person whose interest in the RHIO is as a patient or
representative of patients and who does not otherwise participate in or have a financial
interest in the operation of a RHIO.
RHIOs must have policies in place related to consumers’ access to their own health
information through the RHIO and must inform consumers of those policies through
their education efforts. Both the federal privacy regulation and state law mandate that
certain covered entities and health care providers provide people with access to their
own health data. However, the law does not require the information be disclosed in
electronic form, even if such capacity exists. People often experience cost and
bureaucratic hurdles in getting copies of their health information, particularly if an acute
or chronic illness is involved, or if there are multiple providers. Thus, RHIOs pose an
opportunity for consumers to have one-stop-shopping, requesting their dispersed
information through a single electronic portal. At this early stage of development,
RHIOs should set their own policies as to the form, time period and cost for responding
to such requests. However, in the future, guidelines as to consumer access should be
developed as part of the statewide collaboration process.
25
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
It is worth noting that as the market for consumer-driven health information products
grows, RHIOs will have increasing opportunities to work with third parties to facilitate
consumer access to their personal health information. A number of companies are
planning to offer software applications and services that will give consumers the ability
to organize and keep their personal health information in electronic form as a Personal
Health Record. Under current law, it is permissible for RHIOs to provide information to
such companies, provided such information is obtained through a valid state law
consent and, where necessary, HIPAA authorization. However, there is currently no
state regulatory framework for regulating third parties who gain access to information
through a HIPAA authorization and state law consent representing a gap in current law.
Use of such information therefore would be governed by (i) the terms of the consent; (ii)
the RHIO’s contract with the third party and (iii) the privacy policies of the third parties.
While beyond the scope of this paper, it is crucial that further consideration be given
and policy guidance developed to help RHIOs ensure protection of consumer interests
while facilitating consumer access to and control of their personal health information
through such third party arrangements. In the interim, the policies in this paper can be
looked to for guidance. Until such policy guidance is developed, proposals involving
state funds will be reviewed on a case-by-case basis to ensure adequate protection of
consumer interest.
24
25
26
27
28
29
30
31
32
33
34
35
RHIOs (or a third party designated by the RHIO) must conduct periodic audits no less
than annually. Audit reports, including identification of breaches, must be submitted
regularly to the Board, but also no less than annually. RHIO participants are required to
inform the consumer of breach (the consumer’s identifiable information is reasonably
believed to have been acquired by an unauthorized person) of the consumer’s health
information promptly upon detection. RHIOs and participants must make available to
the consumer upon request an audit trail of the consumer’s health information accessed
through the RHIO.
36
37
38
39
40
41
42
43
44
45
Recognizing the complexity and effort on the part of RHIOs and their participants in
implementing a standardized consent process, compliance with new consent policies
and procedures will be tied to significant and meaningful benefits for RHIOs. In the
immediate term, compliance with standardized consent policies will be a condition of
eligibility for access to Medicaid data and HEAL funds. Penalties of not complying with
consent policies will include loss of benefits described above.
Audits and Transparency: RHIOs must conduct audits at least
annually, inform consumers promptly of any breach and make audit
trails available upon request.
Benefits and Penalties: To be eligible for State funding through
HEAL and other initiatives, and to receive Medicaid data, RHIOs
must adhere to minimum consent policies and standards.
Enforcement: Consent standards initially will be enforced through
contractual relationships between RHIOs and New York State, and
should migrate towards accreditation.
26
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
It is well understood that RHIOs are in the early stages of building their organizational
infrastructures and that much will be learned in the next several years with respect to
different models for ensuring consumer participation in health information exchange. In
the short term, RHIOs will be expected to implement the consent provisions adopted by
the State as part of their contractual agreements with the State. Such provisions will be
considered in light of the specific needs of each project allowing adequate time to
implement the consent procedures and, if necessary, transition from other models
deployed. Contractual agreements with the State will also take into account that
consent policies and procedures can be expected to evolve over the next few years
through a statewide collaboration process.
In the longer term, it can be expected that RHIOs will be subject to a broader State
regulatory framework which may include accreditation of RHIO governance, privacy and
security policies and other policies viewed as critical to the RHIO’s role in establishing
public trust as to the collection, storage and use of personal health information,
protection from liability under certain circumstances and defined penalties for breach of
RHIO obligations.
For public trust to develop there must be an open and transparent process for
establishing and monitoring RHIOs or similar entities charged with ensuring the privacy
and security of health information. Accreditation is the best vehicle for ensuring
accountability. An independent accreditation entity would include public and private
representation, ensuring input from consumers and other industry stakeholders. Ideally,
the accrediting entity would function as a public-private partnership, so that compliance
with accreditation criteria would confer benefits and penalties by State and Federal
officials. Additionally accreditation criteria would evolve as the health information
exchange movement matures allowing state and federal governments to recognize the
process accordingly instead of dictating one that is subject to continuous evolution for
the next several years. An accreditation process for RHIOs as entities governing health
information exchange would also mitigate state-by-state health information exchange
regulation perpetuating and exacerbating the current patch work of state laws severely
limiting multi-state and nationwide health information exchange.
35 V.
Discussion of Policy Considerations
36
37
Enables consumers to make informed decisions regarding their personal health
38
information and promotes trust.
39
40
41
42
While national surveys reveal that consumers generally support electronic collection,
storage and exchange of health information, concerns about the privacy and security of
their health information remain pervasive.4 An affirmative consent prior to accessing
personal health information is critical to earn consumer trust in RHIOs and to preserve
4
California Health Care Foundation. National Consumer Health Privacy Survey. 2005; Markle Foundation. Americans
Want Benefits of Personal Health Records. June 2003.
27
1
2
3
4
5
consumer trust in their healthcare providers. The policies advanced in this document
seek to balance the need to encourage providers and payers to build the technical
infrastructure and capacity to promote greater information sharing, while at the same
time maintaining the consumers’ ultimate rights to determine who has access to their
personal health information.
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Promotes provider access to complete patient records for clinical effectiveness
and tools to support quality improvements and cost reduction.
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Ultimately, the recommendations created a high standard for all health information.
First, the consent form specifies consent to exchange all information, including HIV,
mental health and genetic information. Second, by requiring that each provider
organization and payer organization obtain consent to access the patients’ health care
information, consumers are given the ability to exclude certain providers from accessing
health information through the exchange. Thus, patients can ensure that only trusted
entities have access to their information. Third, providers retain the discretion to
withhold information from the exchange. Some types of specialized providers in
particularly sensitive areas of practice, such as a genetics clinic, may choose to not
disclose any patient information from their practice and instead use the exchange only
to access data. In addition, clinicians will be given the discretion to consult with their
patients and make the best decisions for their care. Some providers may choose to
obtain consumer consent prior to uploading the consumer’s data to the RHIO. Finally,
the recommendations prohibit participants from conditioning payment or treatment on
execution of the consent, ensuring that consents are voluntary, not coerced.
36
37
38
At the same time, the policy helps ensure that clinicians have access to a complete
medical record to treat patients in their care, and does not require RHIOs to facilitate
filtering of patient data.
39
Supports payer access for the purposes of care management
40
41
42
The recommendations seek to facilitate broad use of health information for uses that
promote good medical care and treatment, whether such uses are part of provider or
payer directed initiatives. Consumer always have the right to limit access of any
Providers who have a full understanding of the patient’s relevant medical history are
best equipped to provide high quality, cost effective care. Throughout the HISPC
process, stakeholders have struggled with how best to ensure clinicians have the best
available information to consistently and comprehensively treat their patients, without
encouraging “self-protective” behaviors among patients concerned about the exchange
of particularly sensitive health information. Patients who are concerned that information
related to their healthcare could subject them to discrimination or embarrassment may
avoid treatment or attempt to mask information in the care relationship. This has led
some to suggest that certain types of information should be excluded from the
exchange, or subject to higher standards of consent. Others have noted that to exclude
sensitive health information would undermine the benefits of health information
exchange for the very populations who need it most.
28
1
2
3
organization to their personal health information, but with their consent, information is
freely transferable to support better medical decision making and a broad range of care
management and quality programs.
4
5
6
7
8
9
10
11
12
13
14
15
16
There are differing views as to whether third-party payers should have the same level of
access to information exchanged through RHIOs as health care providers. Advocates
of payer access argue that payers perform important case management and quality
improvement functions, and that payer participation in the RHIO will improve patient
care. It is also noted that payers are actual or potential financial supporters of many
RHIOs, but are unlikely to lend such support if they are subject to onerous access
limitations. Critics of payer access argue, in turn, that it is not within the reasonable
expectation of patients that a consent they sign at a health care provider site will
facilitate their insurer’s access to information. There is a concern that many patients will
feel misled when they learn their insurer has gained access to their information, without
regard to the actual language contained in the consent form. There is also suspicion
that payers may use information obtained through RHIOs against patients for
underwriting and other purposes unrelated to the delivery of medical care.
17
18
19
20
21
Imposing substantial restrictions on payer access to RHIO information is likely to
impede needed financial support for certain RHIOs and undermine legitimate payerbased quality improvement activities. However, permitting payers to access information
pursuant to patient consent obtained by providers poses an unacceptable risk of
consumer confusion and dissatisfaction.
22
23
24
25
26
27
28
29
30
To address these competing concerns, it is recommended that payers be permitted to
access RHIO information only if the payer has obtained its own consent from the patient
that specifically references the RHIO. A payer should not be able to rely on a RHIO
consent obtained by a provider or a general consent obtained by the payer that does
not reference the RHIO. In addition, the payer’s consent should permit use of the
information only for care management and quality improvement intended to benefit the
patient, not medical underwriting and similar practices. Finally, to ensure that the
patient’s consent is voluntary, payers should not be permitted to condition enrollment or
benefits on the patient’s willingness to sign the consent.
31
32
33
34
35
36
37
38
39
40
Promotes uniformity in privacy policies to be adopted and implemented by RHIOs
across New York State to achieve interoperability via SHIN-NY
41
42
In building consensus around a uniform policy, it was necessary to make some hard
choices as well as choices that are inconsistent with some current practices of emerging
One of the main goals of the policies advanced in this document is to promote uniform
adoption of privacy policies across RHIOs in New York State; thereby ensuring patient
information is truly portable through chain of trust agreements among multiple RHIO
networks comprising the SHIN-NY so that patient care improvements can be realized.
Uniform privacy policy adoption is critical to interoperability of information via the SHINNY and ensuring that consumers gain a common understanding of what it means to
consent to their information being accessed through a RHIO.
29
1
2
3
4
5
6
7
8
9
RHIO organizations. For example, the recommendations do not permit a one time,
multiple organization consent policy, but instead requires each provider organization
and payer organization to obtain consent to access information. Having the accessing
clinician or organization obtain consent will engage the organization in educating
consumers about the consent process. It also will allow consumers to connect the
consent decision to the specific entity to which the consumer is granting access whether it is at the office of their primary care physician, their local hospital, a specialty
care provider or at the point in time when they elect to select their health insurance
carrier.
10
11
12
13
14
15
16
17
18
19
20
Recognizes early state of development of RHIO business models and permits
flexibility in how market develops
21
22
23
24
25
26
27
It is understood that some RHIOs in New York are currently implementing privacy and
patient consent policies that do not align with the state’s strategy regarding the SHINNY and corresponding policy framework. These RHIOs therefore may need to modify
or adapt their privacy and consent policies based on the conclusion of this project and
policy guidance issued by the Department of Health. If applicable, the Department of
Health will work with individual projects to develop reasonable timelines and
approaches for implementing these changes.
28
29
30
31
32
33
34
35
36
37
38
39
Streamlines and clarifies process for obtaining patient consent to access and
disclose health information
40
41
42
43
Limits additional requirements on provider organizations
The recommendations take into account the early stage of many RHIO technical and
business models and takes great care to promote uniform adoption of consent policies,
without limiting or specifying the manner in which the policies are adopted by RHIOs.
The policies are technology neutral, so that they are adaptable to multiple technology
approaches, and will allow RHIOs to adapt to changes in the healthcare industry such
as evolving models of care, the emergence of new clinical practice models; increasing
emphasis on home care and community-based services, new payment models, quality
interventions and increasing consumerism and technological advances.
The recommended policies make clear that RHIOs may upload data without patient
consent to a CDR (central or distributed distribution model), thereby clearing the way for
RHIOs and their payer and provider partners to build a technical infrastructure that can
support real time data exchange. One of the main reasons for providing consumers
with protection and control over the health information through a consent to access
requirement, rather than a consent to disclose requirement, is because it is believed
that the latter would impose very real obstacles in the ability to build a system that
supports real time data exchange. Further, the policies abandon the “opt-in” versus
“opt-out” framework for a more holistic approach.
Understandably, there is significant concern among physicians and hospitals that new
rules not place burdensome obligations or unfunded mandates on clinicians whose
30
1
2
3
4
5
main focus is on providing treatment based on the best available information about the
patient. By requiring a simple access consent on a State approved form that covers all
types of health information, the recommended policies adopt a straightforward and
easily implementable solution for provider organizations that mirrors the process already
in place.
6
7
8
9
10
11
12
13
14
15
16
17
Some have argued that a better approach would be not to require any affirmative
consent at all, but to allow patients to “opt-out” of the system if they so choose. But this
approach is not workable under current New York State laws which require affirmative
consent. It also is inconsistent with New York’s longstanding protection of consumer’s
right to control who has access to their health information. Significantly, the policy
recommendations are careful to avoid unintended consequences. This is done by
focusing the consent rules to health information exchange via SHIN-NY governed by
RHIOs, and by making it clear that the rules do not apply to one-to-one exchanges.
While the RHIO might use technology to facilitate the delivery of the physician ordered
results, the nature of that exchange is no different than transmission by a facsimile
machine. It is predictable and foreseeable to the patient, and does not expose the
patient to any greater risk of disclosure.
18
19 VI.
Next Steps
20
21
After review of comments submitted in response to this document, the State
22
Department of Health will issue final policy guidance and take action to include its
23
recommendations in all future contracts with RHIOs in New York State and inform future
24
legislative and regulatory proposals. The contract provisions will require RHIOs to:
25
26
• Adopt privacy policies and procedures consistent with State recommendations;
27
• Use the standardized RHIO consent form approved by New York State to access
28
identifiable health information via the SHIN-NY governed by a RHIO; and
29
• Participate in a consumer education program initiative launched through the
30
statewide collaboration process to support the Privacy Policies and Procedures.
31
32
It is also recognized that further work and ongoing guidance is necessary to ensure the
33
successful implementation of these standards. The recommended standards seek to
34
provide specific, implementable policy guidance to RHIOs. Several areas have been
35
identified in which more process and thought is necessary before specific
36
recommendations can be put forth. In those instances, further action through a
37
statewide collaboration process is recommended.
38
39
New York State is implementing a statewide collaboration process to advance a
40
governance and policy framework for health information technology initiatives across
41
the State. The purpose of the statewide collaboration process is to:
42
31
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
•
•
•
Providing a convening vehicle for the State and the health care community to
collaborate on key areas of New York’s health information technology agenda,
starting with HEAL NY Health IT projects;
Providing a forum to discuss and collaborate on health IT policy priorities; and
Coordinating and harmonizing the implementation of regional HIE and quality
and population health IT tools.
The New York eHealth Collaborative (NYeC), a NYS not-for-profit corporation is
facilitating the state level collaboration process and providing technical assistance to
HEAL grantees. The Department of Health is participating in the collaboration process
as a public-private partnership. NYeC’s mission is to improve health care quality and
efficiency through health IT and is comprised of health care leaders across the State,
including physicians, hospitals, health plans, public health officials, safety net providers,
employers, consumer and health care advocates, quality and regional health
information organizations, and includes participation by health information service
providers (vendors) and health care associations.
Among the issues that will require attention through a statewide collaboration process
are:
•
•
•
•
•
•
Further definition of “one-to-one” health information exchange;
Development of consumer education materials and campaign;
Develop policy guidance to help ensure protection of consumer interests while
facilitating consumer access to and control of their personal health information;
Consent policies and procedures for use of de-identified data exchanged through
RHIOs, focusing on ensuring adequate protections against reidentification;
Consent policies and procedures relating to minors; and
Consent policies and procedures relating to information obtained from federally
qualified alcohol and substance abuse facilities.
32VII.
Acknowledgements
33
34
35
The white paper is a product of the Office of Health Information Technology
36
Transformation, New York State Department of Health. It is a result of a 2 year
37
statewide public process comprised of many contributors, including a Steering
38
Committee, a Legal Committee and multi-stakeholder workgroups.
39
40
In the last six months, NY HISPC, as part of Phase II, held three stakeholder meetings
41
to build consensus around a patient consent solution. The meetings were well attended
42
with participation from diverse stakeholders across the state, including providers,
43
payers, employers, business leaders, health IT leaders, pubic health, consumer and
44
health advocacy representatives, and government, among others.
45
32
1
2
3
4
5
6
7
A special acknowledgement goes to Tom Check, Visiting Nurse Service of New York,
Rachel Block, United Hospital Fund and Interim Executive Director of NYeC, and Dan
Tietz AIDS Institute, DOH for their facilitation at the stakeholder meetings and to the
panelists who participated in the consensus building process.
The white paper was drafted by a subgroup of the NY HISPC Phase II Team, including:
33
New York State Department of Health
Lori Evans, Deputy Commissioner
Jonathan Karmel, Esq
James Figge, MD
Ellen Flink
Jean Quarrier, Esq
Keegan Bailey
C. William Schroth, Consultant
Manatt, Phelps and Phillips
William Bernstein, Esq
Robert Belfort, Esq
Melinda Dutton, Esq
Kalpana Bhandarkar
Health Privacy Project
Janlori Goldman, JD
Lygeia Riccardi
The stakeholder meetings were attending by the following participants:
William Artz
Keegan Bailey
Edo Bancah
Alison Banger
Randy Barrows
Robert Belfort
William Bernstein
Kalpana Bhandarkar
John Blair
Rachel Block
Nick Bonvion
Deborah Brown
Laray Brown
Thomas Check
Frances Ciardullo
Martin Conroy
John Coppola
Caron Cullen
Liz Dears
Jim DeMarco
Lammot DuPont
Melinda Dutton
Simminate Ennever
Linda Erlanger
Lori Evans
James Figge
Ellen M. Flink
Christina Galanis
Jim Garnham
Luke Garvey
Jeff Gilbert
Walter Ginter
Sunergos
NYS DOH
VNSNY
RTI
Med Allies
Manatt, Phelps & Phillips
Manatt, Phelps & Phillips
Manatt, Phelps & Phillips
Taconic IPA
United Hospital Fund
CTG
Greater NY Hospital Association
NYC Health & Hospital Corp.
Visiting Nurse Services of New York
Fager and Amsler
NYS DOH
NY Assn of Alcoholism & Substance Abuse
Affinity Health Plan
Medical Society of New York
Hudson Health Plan
Manatt, Phelps & Phillips
Manatt, Phelps & Phillips
Stony Brook University Medical Center
Affinity Health Plan
NYS DOH
NYS DOH
NYS DOH
Southern Tier Health Link
GRIPA
VNSNY
PPFA
NAMA
34
Janlori Goldman
Stacey Goldston
Caroline Greene
Pat Hale
Carl Hatch
John Hatchett
James Heiman
Mary Ellen Hennessy
Martin Hickey
Judy Iversen
Natasha Johnson
Lee Jones
Jonathan Karmel
Edward Kemer
Irene Koch
Dianne Koval
Ted Kremer
Karen LeBlanc
Matthew Lesieur
Art Levin
Michelle Lopez
Wilfredo Lopez
Alex Low
Gloria Maki
Anne Maltz
Vesna Marincek
Al Marino
Glenn Martin
Anita Marton
Farzad Mostashari
Ray Murphy
Eric Nielsen
Heather O'Connor
Katie O'Neill
Ingrid Pessa
Peter Poleto
Dan Porreca
Ronald Pucherelli
Jean Quarrier
Tom Quinn
Barbara Radin
Lygeia Ricciardi
Laura Rosas
Alice Rothbaum
Beth Roxland
Jerry Salkowe
Lisa Santelli
C. William Schroth
Amelia Shapiro
Nance Shatzkin
Tom Silvious
Ben Smith
Robin Smith
Steven Smith
Ben Stein
Seth Stein
Columbia College
North Shore LIJ Health System
Planned Parenthood of NYC
Adirondack Regional Community Health
NY Assn of Alcoholism & Substance Abuse
Cicatelli Associates
LIPIX RHIO
NYS DOH
Excellus
Visiting Nurse - New York
NYCLIX, Inc.
Med Allies
NYS DOH
Rochester RHIO
Maimonides Medical Center
Med Allies
Rochester RHIO
Seton Health
NY Aids Coalition
Center for Medical Consumers
CHNNYC
Consultant
United Hospital Fund
AIDS Institute Consultant
Herrick Feinstein
NYS OMH
Queens Consortium
Queens Health Network
Legal Action Center
NYCity Dept Health & Mental Hygiene
HIXNY
GRIPA
ARCHIE
Legal Action Center
GHI
HANYS
Health Link - Western NY
Medical Society of New York
NYS DOH
Community General Hospital
Bronx RHIO
Columbia College
NYS Dept. of Health & Mental Hygiene
NYS DOH OH & Mental Hygiene
NYS Task Force on Life and the Law
MVP Healthcare
Excellus
NYS DOH
Queens Health Network
BX RHIO
CSC Consulting
Physician Technology Initiatives
ARCHIE
NYS DOH
NSHS
NYS Psychiatric Association
35
Susan Stuard
Zeynep Summer
Robert Swidler
Dan Tietz
Deborah Tokos
Benny Turner
Dwayne Turner
Asha Upadhyay
Rebecca Urbach
Thomas White
Stephen Wiest
Sumer Zeynep
NY Presbyterian Hospital
GNYHA
NE Health
NY Aids Institute
UHS
Bronx RHIO
NYS DOH MH
THINC RHIO
GNYHA
NYS OMH
NYS Insurance Department
GNYHA
NY HISPC Phase I Team
Steering Committee
Gus Birkhead, MD
Rick Cotton
Lisa Wickens
Tom Quinn
Philip Gioia, MD
Michael Caldwell, MD
Wilfredo Lopez
Katie O’Neill
Tom Buckley
John Rugge, MD
Harriet Pearson
Laray Brown
William Cromie
Fred Cohen, Esq.
Bridget Gallagher
Deputy Commissioner, Office of Public Health
VP & General Counsel, NBC Universal Inc.
Asst. Director, Office of Health Systems Management
CEO, Community General Hospital
Medical Society of the State of New York (MSSNY)
Commissioner of Health, Dutchess County
General Counsel Emeritus and Consultant,
New York City Dept. of Health & Mental Hygiene
Senior VP & HIV/AIDS Projects Dir., Legal Action Center
CEO, Visiting Nurse Association of Albany
Hudson Headwaters Health Network
VP Corporate Affairs & Chief Privacy Officer, IBM
Senior VP, NYC Health & Hospitals
President & CEO, Capital District Physicians’ Health Plan
Senior VP and General Counsel, Independent Health
Senior VP, Jewish Home & Hospital Lifecare System
Legal Committee
Robert Belfort, JD
William Bernstein, JD
Deborah A. Brown, JD
Anna Colello, JD
Melinda Dutton, JD
Janlori Goldman, JD
Jonathan Karmel, JD
Wilfredo Lopez, JD
Anne Maltz, RN, JD
Donald Moy, JD
Katie O’Neill, JD
Jean Orzech Quarrier,JD
Sarah D. Strum, JD
Robert N. Swidler, JD
Manatt, Phelps & Phillips, LLP
Manatt, Phelps & Phillips, LLP
Greater New York Hospital Association
New York State Department of Health
Manatt, Phelps & Phillips, LLP
Health Privacy Project
New York State Department of Health
New York City Department of Health & Mental Hygiene
(retired 12/22/06)
Herrick, Feinstein LLP
Medical Society of the State of New York
Legal Action Center
New York State Department of Health
Catholic Health Care System
Northeast Health
36
Variations Workgroup
The following organizations participated in the HISPC statewide business practice variations workgroups.
ACOG
Albany Medical Center
Albany Memorial Hospital
Anheuser Busch
Association - Women's Medicine
At Home Care, Inc.
Bellevue Hospital
Bronx RHIO
Brownsville
Calvary Hospital
Cayuga Medical Center
Centrex Clinical Labs
Childrens Health Fund
Community Care Physicians
Community Health Center
Crystal Run Healthcare
Department of Corrections
Excellus Health Plan
Genesee Region Home Care & Hospice
Glens Falls Hospital
GNHYA
Greater Rochester RHIO
Greenberg Traurig LLC
Greene County Public Health
Harrison Center Outpatient
Health Care Providers
Health First
Hill Haven Nursing Home
Hometown Health Center
Hospital for Special Surgery
IBM
Institute for Urban Family Health
Interim Health Care
IPRO
Kings County Hospital
Kodak
Lab Alliance of Central New York
Lutheran Family Health
Memorial Sloan Kettering
Montefiore Medical Center
MSSNY
N. Shore LIJ Health System
Nathan Littauer Hospital
New York Presbyterian
New York University
Northeast Ortho
NY Health
NYC Health & Hospitals Corp.
NYC Health Plan
NYC Health/Hospitals Corporation
NYCLIX
NYHQ
NYS Association Healthcare Providers, Inc.
NYS Association of Health Systems
NYS Clinical Lab
NYS DOH AIDS Institute
NYSHFA
OMH
Prime Care
PSSNY
Queens Health Network
Revival Healthcare
Rochester Business Alliance
Saratoga Hospital
Seton Health Systems
St. Ann's Community
St. Peter's Hospital
St. Vincent's Manhattan
St. Vincent's Medical Center
Staten Island University Hospital
Stony Brook University
Strong Memorial Hospital
SUNY Stony Brook
Syracuse Chamber
UB Associates
United Health Services
Unlimited Care
Visiting Nurse Service of New York
VNA of Central New York
VNA of Hudson Valley
VNS/Signature Care
Westside Health Services
Solutions Workgroup
Abbondandolo, Donna
Angrignon, Rachel
Baig, Aleem
Beato, Patricia
Blair, M.D., John
North Shore LIJ Health System
Fidelis Care
Metro Plus
University of Rochester Medical Center
Taconic IPA, Inc.
37
Borges, Linda
Brucker, Julie
Burke, Donna
Calicchia, Eric Kate
Chevalier, Lynn
Cirillo, Joseph S. JD
Clancy, Cathy
Cooper, Ellen
Ehlinger, Bryan
Ehrmentraut, Sheryl
Galanis, Christina
Garnham, James
Gillian, Paul
Groszewski, Walter
Heywood, Nancy
Hoover, Robert
Iversen, Judy
Iyer, Radhika
Jacomine, Douglas
Jaffe, Anita
Julier, Kevin P.
Kelly, William P.
Kendall, Mat
Koch, Irene
Kremer, Ted
Lurin, Joseph
MacMullen, Georgie
Majkowski, Ken
Martin, Donald
Martin, Dr. Glenn
Martucci, Joe
McCarthy, Kelley
Meron, Stephanie
Murphy, Marie
Novak, Carla
O’Connor, Bill
Pucherelli, Ron
Radin, Barbara
Reed, Marian
Reynolds, Cindy
Reynolds, Rita
Richards, Cindy
Rudhika Iyer
Schriber, Mary Jane
Shatzkin, Nance
Silvious, Thomas
Taubner, Richard
Uhrig, Paul
Upadhyay, Asha
Wendell, Matthew
Zink, Brian
MVP Health Care
Saratoga Hospital
HealthNow
Greenberg, Traurig
Next Wave, Inc.
Brooklyn Hospital Center
Hudson Health Plan
New York State Assoc of Ambulatory Surgical Centers
Oneida Healthcare Center
Family Champions
So. Tier Healthlink RHIO
Greater Rochester IPA
CDPHP
IBM
NYS Dept. of Correctional Services
Independent Health
Visiting Nurses
HealthNow
CDPHP
MVP Health Plan
IBM
Treo Solutions
DOHMH
Maimonides Medical
Greater Rochester RHIO
GHI
North Shore LIJ Health System
Rx Hub LLC
Fidelis Care
Queens Health Network
NYS Cyber Security & Critical Infrastructure Coor.
So. Tier Healthlink RHIO
HealthNow
Maimonides Medical
HANYS
HIP Health Plan
MSSNY
Bronx RHIO
McKesson Corp.
NYHIMA & Hill Haven Nursing Home
Memorial Sloan Kettering
HIXNY
HealthNow
BXRHIO
CSC Consulting
HeatlhNow
SureScripts
Taconic IPA, Inc.
MVP Health Care
CDPHP
38
Implementation Workgroup
Carol Allocco
Nick Augustinos
Ellen Bagley
Chris Baldwin
Nancy Barhydt
Patricia Beato
Maryam Behta
Beverly Benno
Jo Berger
Bill Birnbaum
Erin Blakeborough
Rachel Block
Maura Bluestone
Jim Botta
Alan Boucher
Tammy Breault
Deborah Brown
Julie Brucker
Thomas Buckley
Michael Burgess
Ann Burnett
Rachel Burwell
Blair Butterfield
Thomas Carpenter
Diane Carroll
Scott Casler
John Cauvel
C. Lynn Chevalier
Nicholas Christiano
Elizabeth Cole
Ellen Cooper
Rick Cotton
William Cromie
Alice Cronin
Liz Dears
Linda Deyo
Gregory Dobkins
Maryann Dubai
Heather Duell
Kathleen Duffett
Kevin Dumes
Craig Duncan
Tom Ellerson
Simminate Ennever
Lori Evans
Donna Farago
Debra Feinberg
James Figge
Carol Furchak
Christina Galanis
Beth Gallo
Johnson & Johnson
Cisco
NYSHFA
Northeast Health
New York State Department of Health
University of Rochester Medical Center
New York Presbyterian Hospital
Eden Park Health Care Center
NYSDOH
Unlimited Care, Inc.
New York Association of Health Care Providers, Inc.
United Hospital Fund
Affinity Health Plan
NYS DOH- Medicaid
Intel
Seton Health System
GNYHA
Saratoga Hospital
VNA of Albany, Inc.
New York State Alliance for Retired Americans
NYSDOH - AIDS Institute & Uninsured Care Programs
Cerebral Palsy of the North Country
GE Healthcare
Affinity Health Plan
North Country Children's Clinic
Lifetime Care
Next Wave Inc
Health Quest
Greene County Public Health Nursing Service
Executive Woods Ambulatory Surgery Center
NBC Universal, Inc
CDPHP
Nyack Hospital
Medical Society of the State of New York (MSSNY)
Greene County Public Health Nursing Service
NYSDOH
Rome Memorial Hospital
NYSDOH AIDS Institute
Kathleen Duffett, RN, JD, Attorney at Law
Syracuse University
NYeC Board Member
Lourdes Hospital
Stony Brook University Medical Center
Manatt Health Solutions
Our Lady of Mercy Medical Center
NYSCHP
NYSDOH - Office of Health Insurance Programs
Crystal Run Healthcare
Southern Tier HealthLink
Waiting Room Solutions
39
Jim Garnham
Denise Giglio
Sharon Gonyeau
Mary Hand
Ken Harris
Martin Hickey
Jeffrey Hirsch
Susan Huntington
Matthew Jarman
Robin Jones
Annette Kahler
Mary Kenna
Brett Kessler
Al Kinel
Irene Koch
Susan Koppenhaver
Ted Kremer, MPH
Franklin Laufer
Karen LeBlanc
Arthur Levin
Liz Lonergan
Joseph Lurin
Monica Mahaffey
Anthony Mancuso
Glenn Martin
Aileen Martin
Roberto Martinez, MD
Joseph Martucci
Mary Ann McGriel
David McNally
John Mills
George Mina, Jr.
Lanetta Moore
Farzad Mostashari
Betsy Mulvey
Debra Mussen
Cynthia Nappa
Carla Novak
Jeong Oh
Renee Olmsted
Katie O’Neill
Michael Oppenheim
Johannes Peeters
Joe Phillips
Scott Pidgeon
Ron Pucherelli
Barbara Radin
Laurie Radler
Carol Raphael
Rita Reynolds
Cindy Richards
Salvatore Russo
John Shaw
Ben Smith
Robin Smith
Joseph Sorrenti
GRIPA
Visiting Nurse Association of Utica and Oneida County, Inc.
Cerebral Palsy of the North Country
Glens Falls Hospital
NYAHSA - The Center
Excellus BC/BS
Waiting Room Solutions
Glens Falls Hospital
American Red Cross
CMIp
Albany Law School
Group Health Incorporated
Bellevue Woman's Hospital
Kodak
Maimonides Medical Center
Eden Park Health Care Center
Greater Rochester RHIO
NYSDOH - AIDS Institute
Seton Health
Center for Medical Consumers
Syracuse University College of Law
Group Health Incorporated
Visiting Nurse Regional Health Care System of Brooklyn
Maimonides Medcial Center
Queens Health Network
North Country Children's Clinic
CDPHP
NYS Office of Cyber Security
Castle Senior Living at Forest Hills
AARP
HIP Health Plan
Canton-Potsdam Hospital
Phase PiggyBack,Inc.
New York City Department of Health and Mental Hygiene
NYHPA
CVPH Medical Center
SUNY Upstate Medical University
Healthcare Association of NYS
Syracuse University
Oneida Healthcare Center
Legal Action Center
North Shore LIJ Health System
Tioga County Health Department
Aurelia Osborn Fox Memorial Hospital
Palladia, Inc.
Medical Society of the State of New York (MSSNY)
The Bronx RHIO
Montefiore Medical Center
Visiting Nurse Service of New York
Memorial Hospital
Northeast Health
NYC Health & Hospitals Corporation
Next Wave Inc.
Greater Rochester IPA
ARCHIE
Interfaith Medical Center
40
Keith Stack
Susan Stuard
Zebulon Taintor
Deborah Tokos
Asha Upadhyay
Teresa Yennan
Daniel Walden
Mary Welch
Robert Westlake, Jr MD
John White
Dianne Wilson
Lynn-Marie Wozniak
Alcoholism and Substance Abuse Providers of NYS
New York Presbyterian Hospital
Medical Society of the State of New York (MSSNY)
United Health Services
THINC RHIO, Inc.
Baptist Health
Medco Health Solutions
Trudeau Health Systems
NY Chapter, American College of Physicians
Our Lady Of Lourdes Hospital
American Red Cross, New York-Penn Region
Next Wave
41